# Kubernetes deployments
We use Kubenix to write Kubernetes deployments in Nix!
## Images used

Legend:

- ✨: Image built with Nix (including NixNG)
- ✅: Official image or trusted publisher
- 🫤: Unofficial image

Status | Image | Comments
---|---|---
✨ | nixng-dnsmasq |
✨ | nixng-attic |
✨ | git.kun.is/home/blog-pim |
✅ | jellyfin/jellyfin |
✅ | linuxserver/deluge |
✅ | fallenbagel/jellyseerr |
✅ | lscr.io/linuxserver/radarr |
✅ | lscr.io/linuxserver/prowlarr |
✅ | lscr.io/linuxserver/sonarr |
✅ | lscr.io/linuxserver/bazarr |
✅ | ghcr.io/atuinsh/atuin |
✅ | postgres:14 | Database for Atuin
✅ | ghcr.io/paperless-ngx/paperless-ngx |
✅ | docker.io/library/redis:7 | Database for Paperless-ngx
✅ | nextcloud |
✅ | postgres:15 | Database for Attic, Nextcloud, Paperless-ngx and Hedgedoc
✅ | inbucket/inbucket |
✅ | lscr.io/linuxserver/syncthing |
✅ | codeberg.org/forgejo/forgejo |
✅ | pihole/pihole |
✅ | ghcr.io/immich-app/immich-server |
✅ | ghcr.io/immich-app/immich-machine-learning |
✅ | docker.io/redis:6.2-alpine | Database for Immich
✅ | docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0 | Database for Immich
✅ | tombursch/kitchenowl |
✅ | freshrss/freshrss |
✅ | ubuntu/bind9 |
✅ | quay.io/hedgedoc/hedgedoc |
🫤 | itzg/minecraft-server |
🫤 | teddysun/kms |
🫤 | tomsquest/docker-radicale |
🫤 | binwiederhier/ntfy |
🫤 | mpepping/cyberchef |
## Acknowledgements
- dns.nix: A Nix DSL for defining DNS zones
- flake-utils: Handy utilities to develop Nix flakes
- kubenix: Declare and deploy Kubernetes resources using Nix
- nixhelm: Nix-digestible Helm charts
- sops-nix: Sops secret management for Nix
## Prerequisites

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster.
You can generate one with `nix run '.#gen-k3s-cert' <username> <servername> ~/.kube`, assuming you have SSH access to the master node.
This puts a private key, a signed certificate and a kubeconfig in the kubeconfig directory given as the last argument (`~/.kube` above).
## Bootstrapping

We are now ready to deploy to the Kubernetes cluster. Deployments are done through an experimental Kubernetes feature called ApplySets. Each applyset is responsible for a fixed set of resources within a namespace.

If the cluster has not been initialized yet, we must bootstrap it first. Run these deployments:

```shell
nix run '.#bootstrap-default-deploy'
nix run '.#bootstrap-kube-system-deploy'
```
## Deployment

Now that the cluster has been initialized, we can deploy applications.
To explore which applications we can deploy, run `nix flake show`.
Then, for each application, run `nix run '.#<application>-deploy'`.

Or, if you're lazy:

```shell
nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}"
```
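The one-liner above re-runs the two bootstrap applysets on every pass and keeps going after a failed deploy. The script below is an added example, not part of this repository: it reads the same `nix flake show --json` output, selects the `-deploy` packages for one system, puts the bootstrap applysets first only when asked, and stops at the first failing `nix run`. The package names in the embedded sample are constructed for illustration.

```python
"""Select and order the ApplySet deploy targets exposed by the flake.

Added example, not part of the repository. It parses the JSON printed by
`nix flake show --json`, picks the `<name>-deploy` packages for one system
and runs the bootstrap applysets first. Sample package names are constructed.
"""
import json
import subprocess
import sys

# Bootstrap order as documented in the README: these must run before any
# application applyset on a fresh cluster.
BOOTSTRAP_ORDER = ["bootstrap-default-deploy", "bootstrap-kube-system-deploy"]


def deploy_targets(flake_show_json: str, system: str = "x86_64-linux",
                   bootstrap: bool = False) -> list:
    """Return the `-deploy` package names for `system`, in run order.

    Bootstrap applysets come first (only when `bootstrap` is True); every
    other package ending in `-deploy` follows in sorted order, so repeated
    runs deploy in a stable sequence. Packages such as gen-k3s-cert that do
    not end in `-deploy` are never selected.
    """
    packages = json.loads(flake_show_json).get("packages", {}).get(system, {})
    names = {n for n in packages if n.endswith("-deploy")}
    apps = sorted(names - set(BOOTSTRAP_ORDER))
    head = [b for b in BOOTSTRAP_ORDER if b in names] if bootstrap else []
    return head + apps


def run_targets(targets: list, dry_run: bool = True) -> list:
    """Build `nix run '.#<target>'` commands; execute them unless dry_run."""
    commands = [["nix", "run", ".#" + t] for t in targets]
    if not dry_run:
        for cmd in commands:
            # check=True raises CalledProcessError, so a failed applyset
            # aborts the run instead of silently continuing like xargs.
            subprocess.run(cmd, check=True)
    return commands


# Constructed sample of `nix flake show --json` output (not real repo output).
SAMPLE_FLAKE_SHOW = json.dumps({"packages": {"x86_64-linux": {
    "bootstrap-kube-system-deploy": {"type": "derivation"},
    "bootstrap-default-deploy": {"type": "derivation"},
    "nextcloud-deploy": {"type": "derivation"},
    "attic-deploy": {"type": "derivation"},
    "gen-k3s-cert": {"type": "derivation"},
}}})

if __name__ == "__main__":
    raw = SAMPLE_FLAKE_SHOW if sys.stdin.isatty() else sys.stdin.read()
    for cmd in run_targets(deploy_targets(raw, bootstrap="--bootstrap" in sys.argv)):
        print(" ".join(cmd))
```

Pipe `nix flake show --json` into the script to list the commands it would run; pass `--bootstrap` on a fresh cluster and set `dry_run=False` to actually execute them.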